‘Yesterday I learned that there was unauthorized access to a Patreon database containing user information.’ Jack Conte, CEO Patreon
Patreon, the crowd funding website, suffered a breach last week. The cause was an unguarded development server, which was left online. According to Patreon’s CEO, Jack Conte, the development server was accessed by a third party, and customer contact information was stolen.
Unfortunately for Patreon and its customers, the development server housed a snapshotted version of one of Patreon’s main databases, which stored the leaked customer information.
To the best of Conte’s knowledge, no passwords were leaked:
We protect our users’ passwords with a hashing scheme called ‘bcrypt’ and randomly salt each individual password. Bcrypt is non-reversible, so passwords cannot be “decrypted.” We do not store plaintext passwords anywhere.
Development servers may not seem like an attack vector. However, the Las Vegas Sands Corp suffered a catastrophic breach in 2014; Iranian hackers broke into the network using an unguarded development server.
Breaches like these are indicative of a larger issue facing security organizations -- vulnerabilities in third-party cloud services that are used by departments outside of IT to stand up corporate digital assets. According to studies, 30% of IT spending occurs outside the IT department.
The root of the problem is that most enterprises espouse a ‘siloed mentality’. Inter-departmental cooperation is largely nonexistent and often discouraged. The meetup point for IT used to be the data center, but that is no longer the case.
Security has a real problem. It's increasingly left in the dark until an incident occurs. This trend is proliferating across enterprises of all sizes. Moving forward, CISOs will increasingly be forced to address security incidents occurring outside their perimeter.
Conventional wisdom would suggest that more stringent policy and enforcement of internal IT practices would prevent these problems. However, it isn’t that simple any longer.
These developments have led to the rise of digital footprint security; this approach is designed to lower an organization’s exposure to threats that reside outside the firewall.